Netflix Is At The Top of Our Brand Pyramid Today. Two Independent Axes. The Math Says Watch Tonight.

DugganUSA's brand-impersonation watch list ran its multi-axis aggregation this afternoon. Thirty candidate brands across five orthogonal signal axes. The top of the pyramid today is Netflix at 0.95 composite confidence, the only brand at that confidence band, and the only brand currently hitting two independent axes at the elevated level. The math is not a forecast; it is a description of two independent measurements that converged on the same target without coordination. The independent convergence is the part that matters.

The two axes

The first is Pattern 49 high-confidence brand impersonation. The detector flagged netflix.com.sitescorechecker.com — an attacker-staged subdomain that uses the standard "victim brand as subdomain of attacker domain" trick to bypass casual URL inspection. Anyone glance-reading the URL in an email or browser status bar sees "netflix.com" and assumes the rest is a path or a tracking parameter. The actual domain — sitescorechecker.com — is the attacker's. The infrastructure was first seen by our pipeline on April 28, 2026, and has remained live in the global view ever since. That is twenty-five days of operational uptime, which is not a casual reconnaissance probe; that is a brand-impersonation tool that the operator is actively maintaining for a reason.

The second is AIPM perception gap, our AI presence audit measurement. Netflix's combined-score is 47 out of 100, structure-score 28, with an AIPM Net Promoter Score of negative fifty. That negative-fifty NPS is the discriminative axis, and it means something specific. It is not a measurement of customer satisfaction; it is a measurement of how Claude, GPT-4o, Gemini, and Perplexity collectively perceive Netflix's brand authority when asked questions about cybersecurity posture, breach hygiene, and customer-facing trust signals. The combined output of the four-model quorum returns a substantially negative signal — the AI surface that consumers increasingly route through when asking "is this Netflix email legit" gives them a weak answer, which makes the consumer more likely to fall for the phishing infrastructure that the first axis already detected.

The two axes are independent. The Pattern 49 detector does not look at AIPM scores. The AIPM auditor does not look at impersonation infrastructure. They converged on the same brand. That convergence is the pyramid.

What "watch tonight" means

The brand-impersonation infrastructure attached to Netflix is live, the consumer-facing AI authority that would otherwise inoculate against confusion is weak, and the brand has the kind of broad consumer exposure that means even a single percent conversion on a phishing campaign at this scale produces tens of thousands of victims. The actor staging netflix.com.sitescorechecker.com is not in our index because they were noisy enough to be discovered; they are in our index because the certificate transparency log surfaced the SAN entry and our Pattern 49 detector ran the standard victim-brand-as-subdomain match. That detection is high-recall, high-precision, and reliably runs about seventy-two hours ahead of the phishing campaign that the staged infrastructure will eventually carry.

If you operate IT security for Netflix or for any organization with employees who routinely use a personal Netflix subscription, the action tonight is: add sitescorechecker.com and any subdomain to the deny list of your secure email gateway and corporate DNS. The blast radius of a phishing campaign that lands on a personal Netflix email account is meaningful even when the corporate environment is hardened, because credential reuse across personal-to-corporate boundaries remains the single most reliable initial-access vector in our observed dataset.

The wider lesson — independent convergence as a confidence multiplier

Single-axis signals are triangles. They surface artifacts. They are entertainment for analysts. Two independent axes hitting the same target is a pyramid — depth, corroboration, structural confidence that the signal is real. Our watch list is built to surface pyramids, not triangles, and to suppress single-axis alerts behind a 72-hour cross-index corroboration gate so that the analyst's attention is preserved for the cases that actually move. Netflix at 0.95 today is the example. Twenty-nine other candidates are at single-axis confidence and queued for the corroboration window. Some will graduate to pyramids in the next day or two. Most will quietly drop out.

The defender lesson is that the same independent-convergence frame works inside your own stack. If your email gateway flags a domain and your DNS resolver does not, that is a triangle. If your email gateway and your DNS resolver and your endpoint behavioral analytics all flag the same domain within seventy-two hours of each other, that is a pyramid, and the response time should match the confidence rather than the bureaucratic queue time.

The detector is built to enumerate the universe of brand-impersonation infrastructure under load, not to predict which adversary will fire on which target on which date. What the detector says today is that of thirty candidate targets, exactly one has two independent axes corroborating, and that one is Netflix. The math is in the open. The decision tree is the operator's. The receipt is timestamped April 28.

How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.

Audit your site now → aipmsec.com